We have an AD server to which I have successfully connected with the LDAP plugin as an authentication source. This AD has to be the authentication source for "internals" from our university, while OJS internal database authentication is intended for external users. This is a typical situation, I guess.
The problem appears with user registration. I set up LDAP as the default authentication source, with user profile synchronization enabled.
During the registration of a new user, it really does not matter what password is provided for a user account residing in LDAP. When we provide a username existing in LDAP, regardless of whether you provide the proper password or not, the account is created in OJS, but authorization is possible with the proper LDAP password only; the password entry in the database is irrelevant, as I could clear it.
Meanwhile, OJS claims:
Specifying a default authentication source other than OJS has the following effects:
If a user attempts to register a new account with this site with a username that exists on the authentication source (but not in the OJS database), the registration attempt is only allowed if the supplied password is valid for that user account.
I would rather expect explicit denial of new user creation if the account name is from LDAP and the password is invalid for that account. That would prevent username conflicts, which could appear sooner or later.
Am I doing anything wrong or misunderstanding something?
And anticipating a prospective problem:
How can the situation be solved when a new user appears in LDAP with the same account name as an already existing (external) one in the OJS database?
Kind regards, and thanks for the really great work with PKP.
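
The registration rule quoted from the OJS help text above, together with a check for the username collision the post anticipates, sketched as an added example (not OJS or LDAP plugin code, and not part of the original post). The directory is a constructed in-memory stub, and all names (`StubDirectory`, `decide_registration`, `find_collisions`) are hypothetical.

```python
import hmac
from enum import Enum

class Decision(Enum):
    CREATE_LOCAL = "create account in the local database"
    CREATE_LINKED = "create account bound to the directory"
    DENY_BAD_PASSWORD = "deny: name belongs to a directory user"
    DENY_EXISTS = "deny: name already registered locally"

class StubDirectory:
    """Constructed stand-in for the LDAP/AD source (no network access)."""
    def __init__(self, accounts):
        # AD account names compare case-insensitively, so normalise keys.
        self._accounts = {u.lower(): p for u, p in accounts.items()}

    def exists(self, username):
        return username.lower() in self._accounts

    def bind(self, username, password):
        # A real source would attempt an LDAP bind. Empty passwords are
        # rejected up front: many servers treat them as unauthenticated binds.
        stored = self._accounts.get(username.lower())
        if stored is None or not password:
            return False
        return hmac.compare_digest(stored.encode(), password.encode())

def decide_registration(username, password, local_users, directory):
    """Apply the documented rule to one registration attempt."""
    if username.lower() in {u.lower() for u in local_users}:
        return Decision.DENY_EXISTS
    if directory.exists(username):
        # Name is owned by a directory user: only a valid bind may claim it.
        if directory.bind(username, password):
            return Decision.CREATE_LINKED
        return Decision.DENY_BAD_PASSWORD
    return Decision.CREATE_LOCAL

def find_collisions(local_only_users, directory):
    """Local-only (external) names that now also exist in the directory."""
    return sorted(u for u in local_only_users if directory.exists(u))
```

Running `find_collisions` periodically over the externally registered accounts surfaces a name clash as soon as the directory gains a matching user, before that user's first login.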